What are the Limitations of Internal Controls?
A system of controls does not provide absolute assurance that the control objectives of an organization will be met. Instead, there are several inherent limitations in any system that reduce the level of assurance. These inherent limitations are as follows.
Collusion
Two or more people who are intended by a system of control to keep watch over each other could instead
collude to circumvent the system. Since this essentially eliminates a control, the probability of losses being incurred is greatly increased.
Human Error
A person involved in a control system could simply make a mistake, perhaps forgetting to use a control step. Or, the person does not understand how a control system is to be used, or does not understand the instructions associated with the system. This may be caused by the assignment of the wrong person to a task.
Management Override
Someone on the management team who has the authority to do so could override any aspect of a control system for his personal advantage.
Missing Segregation of Duties
A control system might have been designed with an insufficient segregation of duties, so that one person can interfere with its proper operation.
Consequently, it must be accepted that no system of internal controls is
perfect. There is always a way in which it can fail or be circumvented.
Internal control cannot be designed to provide reasonable assurance that
A. The recorded accountability for assets is compared with the existing assets at reasonable intervals.
B. Transactions are executed in accordance with management’s authorization.
C. Access to assets is permitted
only in accordance with management’s authorization.
D. Fraud will be eliminated.
Answer (D) is correct.
Internal control is a process designed to provide reasonable assurance regarding the achievement of the entity’s objectives. It can provide reasonable assurance regarding (1) reliability of financial reporting, (2) compliance with
applicable laws and regulations, and (3) effectiveness and efficiency of operations. Because of inherent limitations, however, no system can be designed to eliminate all fraud (AU-C 315).
Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity’s internal control?
A. Collusion among employees.
B.
Management override.
C. Incompatible duties.
D. Faulty judgment.
Answer (C) is correct.
Internal control has inherent limitations. The performance of incompatible duties, however, is a failure to assign different people the functions of authorization, recording, and asset custody, not an inevitable limitation of internal control.
Segregation of duties is a category of control activities.
Internal controls are designed to provide reasonable assurance that
A. Management’s planning, organizing, and directing processes are properly evaluated.
B. The internal auditing department’s guidance and oversight of management’s performance is accomplished economically and efficiently.
C. Management’s
plans have not been circumvented by worker collusion.
D. Material errors or fraud will be prevented, or detected and corrected, within a timely period by employees in the course of performing their assigned duties.
Answer (D) is correct.
Cost-effective controls should restrict deviations to a tolerable rate. Thus, material errors and improper
or illegal acts should be prevented, or detected and corrected, within a timely period by employees in the normal course of performing their assigned duties. Accordingly, the cost-benefit relationship is considered by management during the design of systems, and the potential loss associated with any exposure or risk is weighed against the cost to control it.
Which of the
following items is an example of an inherent limitation in an internal control system?
A. Segregation of employee duties.
B. Ineffective board of directors.
C. Understaffed internal audit functions.
D. Human error in decision making.
Answer (D) is correct.
Because of its inherent limitations, internal control can be designed and
operated to provide only reasonable assurance that the entity’s objectives are met. Thus, (1) human judgment is faulty, (2) controls may fail because of human error, (3) manual or automated controls can be circumvented by collusion, and (4) management may inappropriately override internal control. Moreover, custom, culture, the corporate governance system, and an effective control environment are not absolute deterrents to fraud. For example, if the nature of management incentives increases the
RMMs, the effectiveness of controls may be reduced. A factor that is an inherent limitation of an audit as well as internal control is the need to balance benefit and cost. Although the ability to provide only reasonable assurance is a primary design criterion for internal control, the precise measurement of costs and benefits is not feasible. However, costs should not exceed the benefits of control. Thus, the cost constraint limits internal control.
Which of the following is a component part of the COSO’s internal control framework?
A. Event identification.
B. Information systems.
C. Audit strategy and planning.
D. Audit risk.
Answer (B) is correct.
According to the COSO, an entity’s internal
control has five components: (1) the control environment, (2) risk assessment process, (3) control activities, (4) information systems, and (5) monitoring. The control environment sets the tone of an organization, influences control consciousness, and provides a foundation for the other components. Risk assessment is the identification, analysis, and management of risks relevant to achievement of objectives. Control activities help ensure that management directives are executed. The information
system consists of (1) physical and hardware components, (2) software, (3) people, (4) procedures, and (5) data. Monitoring assesses the performance of internal control over time.
The objective of the auditor is to identify and assess the risks of material misstatement (RMMs). The auditor therefore identifies and assesses RMMs
A. At the financial statement and relevant
assertion levels.
B. During initial audit planning only at the financial statement level.
C. For each assertion after considering the effects of internal control.
D. For assertions that are probable of being materially misstated.
Answer (A) is correct.
The objective of the auditor is to identify and assess the RMMs, whether due to
fraud or error, at the financial statement and relevant assertion levels. This objective is achieved through understanding the entity and its environment, including the entity’s internal control, to provide a basis for designing and implementing responses to the assessed RMMs. A relevant assertion has a reasonable possibility of containing a misstatement that could cause material misstatement(s) of the financial statements. Thus, a relevant assertion has a meaningful bearing on whether the
account is fairly stated.
An auditor is evaluating a client’s internal controls. Which of the following situations would be the most difficult internal control issue for an auditor to detect?
A. The technology department writes a program that does not properly implement the control due to a lack of understanding.
B. Two employees, who work in different departments, are
circumventing an internal control.
C. The accounting staff neglects the control due to increased transactions to be processed.
D. Someone erroneously disables edit checks in a software program designed to identify control exceptions.
Answer (B) is correct.
Because of its inherent limitations, internal control can provide only reasonable
assurance that the entity’s objectives are met. Thus, manual or automated controls can be circumvented by collusion of two or more people or by management override (AU-C 315). Fraud perpetrated by collusion may be difficult to detect because of schemes designed to conceal it.
Which of the following is an inherent limitation of internal control?
A. Collusion.
B.
Employee peer review.
C. Segregation of duties.
D. Judgmental sampling.
Answer (A) is correct.
Two or more people may collude, or management may override internal control.
Which of the following situations
represents a limitation, rather than a failure, of internal control?
A. A purchasing employee and an outside vendor participate in a kickback scheme.
B. A jewelry store employee steals a small necklace from a display cabinet.
C. A movie theater cashier sells reduced-price tickets to full-paying customers and pockets the difference.
D. A bank teller embezzles several hundred dollars from the cash drawer.
Answer (A) is correct.
Because of the inherent limitations of internal control, it can be designed to provide only reasonable assurance that the entity’s objectives are met. For example, (1) controls may fail because of human error, (2) management may override controls inappropriately, or (3) manual or automated controls may be circumvented by collusion (e.g., a kickback scheme involving a purchasing employee and an
outside vendor).
An auditor uses the knowledge provided by the understanding of internal control and the assessed risks of material misstatement primarily to
A. Modify the initial assessments of inherent risk and judgments about materiality levels for planning purposes.
B. Determine the nature, timing, and extent of substantive procedures for financial statement
assertions.
C. Determine whether the opportunities to allow any person to both perpetrate and conceal fraud are minimized.
D. Determine whether procedures and records concerning the safeguarding of assets are reliable.
Answer (B) is correct.
The auditor is required to obtain an understanding of the entity and its environment, including its
internal control, to assess the risks of material misstatement of the financial statements, whether due to fraud or error, to provide a basis for responding to the assessed RMMs. Regardless of the assessed RMMs, the auditor performs substantive procedures for all relevant assertions for material classes of transactions, account balances, and disclosures. Moreover, the auditor designs and performs further audit procedures whose nature, timing, and extent respond to the assessed RMMs at the
relevant assertion level.
An entity should consider the cost of a control in relationship to the risk. Which of the following controls best reflects this philosophy for a large dollar investment in heavy machine tools?
A. Placing security guards at every entrance 24 hours a day.
B. Having all dispositions approved by the vice president of sales.
C. Imprinting a
controlled identification number on each tool.
D. Conducting a weekly physical inventory.
Answer (C) is correct.
A controlled identification number on each tool and periodic checking allow for an effective control at reasonable cost.
Although substantive tests may support the accuracy of underlying information used in monitoring, these tests may provide no affirmative evidence of the effectiveness of monitoring controls because
A. Substantive tests rarely guarantee the accuracy of information used in monitoring if only a sample has been tested.
B. When procedures are computerized and leave no audit trail to indicate who performed them, substantive tests may necessarily be limited to inquiries and
observation.
C. The information used in monitoring may be accurate even though it is subject to ineffective control.
D. Substantive tests relate to the entire period under audit, but tests of controls ordinarily are confined to the period during which the auditor is on the client’s premises.
Answer (C) is correct.
When obtaining an
understanding of each of the five components of internal control (including monitoring), the auditor must perform procedures to understand the design of relevant controls and must determine whether controls have been implemented. If (s)he intends to rely on the controls, (s)he must also determine their effectiveness. However, when controls based on monitoring leave no audit trail, for example, documentation of design or operation, evidence about effectiveness of design or operation may be
obtained only by inquiries, observations, and computer-assisted audit methods. Moreover, substantive procedures likewise may provide no affirmative evidence of the effectiveness of monitoring controls because the information may be accurate even though controls over its creation are ineffective. Thus, the ineffectiveness of monitoring would not be revealed by substantive procedures unless the detection of material misstatements resulted in performance of additional audit procedures directed at
the controls.
Manual controls would most likely be more suitable than automated controls for which of the following?
A. Large, unusual, or nonrecurring transactions.
B. Situations with routine errors that can be predicted and corrected.
C. High-volume transactions that require additional calculations.
D. Circumstances that require a high degree of accuracy.
Answer (A) is correct.
Manual controls may be more suitable where judgment and discretion are required, such as (1) for large, unusual, or nonrecurring transactions; (2) for circumstances where misstatements are difficult to define, anticipate, or predict; (3) in changing circumstances that require a control response outside the scope of an
existing automated control; and (4) in monitoring the effectiveness of automated controls.
Which of the following represents an example of an inherent limitation of internal controls?
A. Shipping documents are not matched to sales invoices.
B. The CEO can override a control and request a check with no purchase order.
C. Customer credit checks are not
performed.
D. Bank reconciliations are not performed on a timely basis.
Answer (B) is correct.
Inherent limitations may exist and should be considered by the auditor. Human judgment can be faulty, controls can be circumvented by collusion, and management may inappropriately override controls. Thus, the CEO’s requesting a check with no
purchase order is possible because of an inherent limitation. It is an override of the internal control by management.
Which of the following best describes an inherent limitation that should be recognized by an auditor when considering the potential effectiveness of internal control?
A. Controls, whether manual or automated, whose effectiveness depends on segregation of
duties can be circumvented by collusion.
B. The competence and integrity of client personnel provide an environment conducive to control and provides assurance that effective control will be achieved.
C. Procedures designed to assure the execution and recording of transactions in accordance with proper authorizations are effective against fraud perpetrated by management.
D. The benefits expected to be derived from effective internal control usually do not exceed the costs of such
control.
Answer (A) is correct.
One of the inherent limitations of internal control is that it can be circumvented by collusion among persons both within and outside the entity. Thus, a control based on segregation of duties will be ineffective if a person in a position to commit fraud colludes with a person who can conceal it.
An auditor is concerned about management override as a limitation of internal control. Which of the following tests would best assess the validity of the auditor’s concern?
A. Matching purchase orders to accounts payable.
B. Reviewing minutes of board meetings.
C. Tracing sales orders to the revenue account.
D. Verifying that approved spending limits are not exceeded.
Answer (D) is correct.
To determine whether management has overridden approvals, the auditor should compare actual expenditures with budgeted amounts.
The primary objective of procedures performed to obtain an understanding
of internal control is to provide an auditor with
A. A basis for modifying tests of controls.
B. An evaluation of the consistency of application of management’s policies.
C. Evidence to use in assessing inherent risk.
D. Knowledge necessary for audit planning.
Answer (D) is correct.
The auditor is required to obtain an
understanding of the entity and its environment, including its internal control, to assess the risks of material misstatement of the financial statements, whether due to fraud or error, to provide a basis for responding to the assessed RMMs. The auditor obtains the understanding and assesses the RMMs to plan the audit. The audit plan describes (1) the risk assessment procedures, (2) further audit procedures at the assertion level, and (3) other procedures required by GAAS.
Which of the following factors would most likely be considered an inherent limitation to an entity’s internal control?
A. The lack of management incentives to improve the control environment.
B. The ineffectiveness of the board of directors.
C. Human judgment in the decision making process.
D. The complexity of the information processing system.
Answer (C) is correct.
Human judgment is faulty, and controls may fail because of simple error or mistake. For example, design changes for an automated order entry system may be faulty because the designers did not understand the system or because programmers did not correctly code the design changes. Errors also may arise when automated reports are misinterpreted by
users. Furthermore, manual or automated controls can be circumvented by collusion, and management may inappropriately override internal control.
In an audit of financial statements, an auditor’s primary consideration regarding an internal control is whether the control
A. Affects management’s financial statement assertions.
B. Provides adequate safeguards over access
to assets.
C. Relates to operational objectives.
D. Reflects management’s philosophy and operating style.
Answer (A) is correct.
Assertions are management representations embodied in the financial statements. They are used by the auditor to consider the different potential misstatements. A relevant assertion has a reasonable possibility
of containing a misstatement that could cause a material misstatement(s) of the financial statements. Thus, a relevant assertion has a meaningful bearing on whether the account is fairly stated. Tests of controls are designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. They should be performed when (1) the auditor’s assessment of the RMMs at the relevant assertion level includes an expectation of
the operating effectiveness of controls or (2) substantive procedures alone do not provide sufficient appropriate evidence at the relevant assertion level. Thus, the auditor is primarily concerned with whether a control affects relevant financial statement assertions.
Which of the following is an inherent limitation in internal control?
A. Incompatible duties.
B. Lack
of segregation of duties.
C. Faulty human judgment.
D. Lack of an audit committee.
Answer (C) is correct.
Human judgment is faulty, and controls may fail because of human error.
Internal control can provide only
reasonable assurance of achieving an entity’s control objectives. The likelihood of achieving those objectives is affected by which limitation inherent to internal control?
A. Management monitors internal control.
B. The board of directors is active and independent.
C. The cost of internal control should not exceed its benefits.
D. The auditor’s primary responsibility is the detection of fraud.
Answer (C) is correct.
The cost of an entity’s internal control should not exceed the benefits that are expected to be derived. Although the cost-benefit relationship is a primary criterion that should be considered in designing internal control, the precise measurement of costs and benefits usually is not possible.
Which of the following statements is correct regarding internal control?
A. A well-designed and operated internal control environment should detect collusion.
B. An inherent limitation of internal control is that controls can be circumvented by management override.
C. A well-designed internal control environment ensures the achievement of an entity’s control objectives.
D. Internal control is a necessary business function and should be designed and operated to
detect all fraud and error.
Answer (B) is correct.
Because of its inherent limitations, internal control can be designed and implemented to provide only reasonable assurance that the entity’s objectives are met. Human judgment is faulty, and controls may fail because of human error. Furthermore, manual or automated controls can be circumvented
by collusion, and management may inappropriately override internal control.
Which of the following is an inherent limitation of any client internal control?
An inherent limitation of internal control is that controls can be circumvented by management override.
What are the inherent limitations of internal control system?
Some of the most common limitations of internal controls include providing reasonable assurance, collusion, human error, control override, poor judgment, cost and benefit consideration, improper communication to or training of employees, and unforeseen circumstances.
Which of the following represents an example of an inherent limitation of internal controls quizlet?
Which of the following represents an example of an inherent limitation of internal controls? The CEO can override a control and request a check with no purchase order.
Which of the following is inherent limitation of internal controls Mcq?
Following are the inherent limitations of internal control: Judgement, breakdowns, collusion, Management override, and abuse of authority etc. Hence, option C is correct.